mendelson AS4 Software

  • AS4 transaction details

    Transaction details

  • AS4 transaction overview

    Transaction overview

  • AS4 certificates

    Certificate manager (dark mode)

  • AS4 partner

    Partner management (dark mode)


AS4 offers secure B2B document exchange based on web services and was developed by a subcommittee of the Technical Committee of OASIS ebXML Messaging Services. AS4 is in many ways similar to AS2, but works in a Web services context and contains advanced interaction patterns and receipts for message-based transfer business.

AS4 is characterized by the following features:

  • Acknowledgment mechanisms, a reliable messaging and allows a repeat in the case of a lost message
  • Secure data exchange via password authentication, digital signature and encryption
  • Compression and transmission of large volumes of data
  • Pattern for message exchanges that allow a rich variety of interactions between sender and receiver

The mendelson AS4 server is a out-of-the-box solution that supports the AS4 usage profiles ebMS 3.0 AS4, ENTSOG AS4, e-SENS AS4, PEPPOL AS4, BDEW AS4 and ICS2 AS4. You could either pull or push any kind of data, with full encryption, signature and TLS support. Additional services like EESSI (Electronic Exchange of Social Security Information) are also supported because they are based on e-SENS.


  • PUSH messages
  • PULL messages
  • Key and certificate management
  • Partner management
  • Digital signatures, detailed settings for SOAP structure signature and payload signature
  • Message encryption, detailed settings for SOAP structure encrytion and payload encryption
  • Supports fully encrypted SOAP data
  • UserNameToken authentication
  • ENTSOG AS4 Usage Profile support
  • ebMS AS4 Usage Profile support
  • e-SENS AS4 Usage Profile support
  • PEPPOL AS4 Usage Profile support
  • BDEW AS4 Usage Profile support
  • ICS2 AS4 Usage Profile support
  • Usage Profile selectable per user
  • Multiple local identities
  • Full support for message bundling
  • Secure transport (TLS 1.2, TLS 1.3)
  • Support for TLS client authentication
  • System task to auto clear old log entries
  • Multinational support: Localized to german and english
  • Customizable local directory poll processes
  • Customizable remote parter poll processes (PULL request)
  • Local MPC (message processing queue), configurable per partner
  • Sync and async Receipt Signal support


  • Easy integration to existing systems, using a partner based file system interface
  • Integrated scheduler picks up data from directories
  • Message post processing (scripting on receipt)
  • Pluggable into any servlet container like Tomcat, Jetty, ... - contains an integrated Jetty webserver
  • The mendelson AS4 is written in pure Java - this enables an easy Docker and Kuberetes integration


  • Email event notification

Encryption, Signatures and Security Token Authentication


Supports WSS 1.1, WSS X.509 Certificate Token Profile.

The following encryption algorithms are supported:

  • AES_128
  • AES_128_GCM
  • AES_192
  • AES_192_GCM
  • AES_256
  • AES_256_GCM
  • CAMELLIA_128
  • CAMELLIA_192
  • CAMELLIA_256
  • RIPEMD_160
  • RSA_v1dot5
  • 3DES

Key transport

The following key transport algorithms are supported:

  • RSA-OAEP with the digest SHA-1 and the mask generation function SHA1_MGF1
  • RSA-OAEP-11 with the digest SHA-1 and the mask generation function SHA1_MGF1
  • RSA-OAEP-11 with the digest SHA-224 and the mask generation function SHA224_MGF1
  • RSA-OAEP-11 with the digest SHA-256 and the mask generation function SHA256_MGF1
  • RSA-OAEP-11 with the digest SHA-384 and the mask generation function SHA384_MGF1
  • RSA-OAEP-11 with the digest SHA-512 and the mask generation function SHA512_MGF1
  • ECDH-ES with kw-aes128 and the digest SHA-256, key agreement with either X25519 or BrainPoolP256r1 keys


Supports WSS 1.1 [SOAPATTACH], Attachment-Content-Only transform, Attachment-Complete transform

The following hash algorithms are supported:

  • MD5
  • DSA_SHA256
  • ECDSA_SHA224
  • ECDSA_SHA256
  • ECDSA_SHA384
  • ECDSA_SHA512
  • EdDSA-Ed25519
  • RSA_MD5
  • RSA_SHA1
  • RSA_SHA224
  • RSA_SHA256
  • RSA_SHA384
  • RSA_SHA512

Security Token Authentication

Supports WSS Username Token Profile and wsse:PasswordText-type

Accepted certificates

  • Trusted certificates, self signed certificates
  • SHA-1 signed certficates, SHA-2 signed certificates
  • Trusted by any CA


mendelson AS4 could send and receive AS4 messages from and to trading partners via HTTP and HTTPS.

There runs an additional poll thread for every partner that polls special directories per partner and sends matching files to the mendelson AS4 server. An internal pull destination (mpc, message processing channel) could be setup per partner to allow the processing of PULL Request signals from other AS4 systems.

Please have a look at the following diagram for an overview of the included components of the mendelson AS4 package. All these components install out-of-the-box if you are using the installer. The main difference in the architecture between the commercial version and the community version (open source) is that in the commercial version the user interface and the AS4 server are running in different processes and could even run on different machines/operation systems while the server could run as service. The community version acts as a desktop system, user interface and server are running in the same process.

AS4 Server:
The server is the core component. It is responsible for the transaction processing and cares for encryption, digital signatures and the communication to all the other components.

AS4 Client (Rich client)
The AS4 client contains the transaction management, partner management, certificate management (commercial version only). It allows to set all server properties and configure the system.

The database server stores all information about the transactions and the master data of partners, subjects etc.

HTTP Server:
The HTTP server acts as a servlet container for the message receipt servlet. It host also some information pages. The servlet sends received messages to the server. There is a HTTP server included in the installation package but its also possible to deploy the AS4 receiver in any other servlet container.

AS4 Sender:
This component sends AS4 messages and signals to the trading partner. It also receives AS4 data (Signals, User Messages) on the back channel.

Allows the notification via mail if there occurred any event that requires user interaction.



Optional components for the mendelson AS4 (plugin concept)

The basic functionality of the mendelson AS4 can be extended by some functions and architectures by a plugin concept.
We currently offer the following plugins:

  • Plugin Java API
  • Plugin PostgreSQL database
  • Plugin OAUTH2 for SMTP and HTTP authentication
  • Plugin HSM (Hardware Security Module)

Plugin Java API

With the help of this plugin you can access the functions of the mendelson AS4 in your own products by simply including the mendelson AS4 as lib in your Java projects. You then have the possibility to use the send and receive functions of the mendelson AS4 via a simple java API without needing a running mendelson AS4 server.
Save yourself the time and effort of implementing the proven functions of the mendelson AS4 yourself and benefit from mendelsons know-how.

Plugin PostgreSQL database

This plugin allows you to replace the internal supplied HSQLDB database with an external database system (PostgreSQL), which of course can also run on another system. Part of this plugin is also a wizard for data migration of your previous dataset.
This plugin has been tested with several versions of PostgreSQL (12.1, 12.4, 13.0, 13.1) and runs also fine with the PostgreSQL databases of cloud providers (e.g. AWS PostgreSQL).

Plugin OAUTH2

This plugin adds OAUTH2 authentication posibilities to the AS4 message send process, async MDN send process and the mail notification process via SMTP.

Plugin HSM

This plugin allows to integrate HSM (Hardware Security Modules). It allows to manage your private keys and execute cryptographic operations in external devices/smartcards to harden your security. The communication interface to your HSM is PKCS#11.